Cross-site scripting is one of the most common vulnerabilities on the web today. If you are writing any kind of web software and you don’t know about this, you should know this! And if you are the kind of person who likes to play about with websites and break them, in a definitely legal manner, you should know this too.

To explain it, we have to go back to the early days of the internet. We have to go back to Tim Berners-Lee sitting at CERN, making up how the web will work. The web is based on something called HTML, HyperText Markup Language. Most people who are reading this, I think, will know how this works, but just very quickly, it means that you have tags.

An HTML document starts with an opening tag in angle brackets, <html>, and closes with the matching </html>. Anything between angle brackets is read as an instruction, not as text to show the user.

So if I want to put some text in bold, I put a <b> tag, then a closing </b> tag, and the text in the middle becomes bold. Those angle brackets, wherever they are in the document, mean “an instruction is coming here.”

So, what do you do if you want to put an angle bracket, which is basically a less-than sign, into your document as text? You do something called escaping. Instead of sending the angle bracket itself, you send an ampersand, then “lt” for less than, then a semicolon: &lt;. When the browser renders the page, that turns back into an angle bracket on the screen, but it is never read as the start of a tag. Great. Wonderful. And that works fine. In the old days of the world wide web, you could send a request, the document would come back, and a stray angle bracket in the text would not mess everything up.

Then we move on a bit, and things start to get more interactive. Someone comes along and invents JavaScript. JavaScript is a programming language that sits in the middle of web pages. You have your HTML above and below, and in between you open a <script> tag. Nothing in that section appears on the user’s screen; what you have there is a completely separate programming language. You can declare variables, you can do calculations, and that’s vaguely sensible. But that language can also change the document around it: you can take the output of your code and put it into the rest of the page.

So if you have, for example, an email client. Gmail uses this. Gmail uses incredible amounts of this. When you type things in, it quietly sends them to the server in the background. You don’t have to click Save and wait a second for the request to go there and a second for the page to come back, like in the early days of the web. It’s really, really powerful. It’s the way that everything big, everything interactive, works on the web now.

You can design entire games in JavaScript. All it’s doing is creating a web page and then moving bits of it about. The trouble is that JavaScript is dangerous. It can do anything to the web page, and rightly so: that’s how Gmail works. But imagine if you could get whatever JavaScript you wanted onto, say, the login page of an online bank. You could tell it that, instead of just taking the username and password and sending them to the bank’s servers, it should first send them to someone else, and then, once they’ve got them, log the user into the bank as normal. The user never knows it happened. Or you could, say, instead of sending the words people are actually typing, ignore them and just send Rick Astley instead. This is how the MySpace worms spread: you typed the code into your profile, and it appeared there, because MySpace hadn’t quite filtered JavaScript properly. That’s the cross-site scripting bug I’ll get to in a minute. You could write anything you wanted in there, and every time someone looked at that MySpace page, the code would run! It would say, hey, go and do the same thing to their profile. And it would.

JavaScript is dangerous because it lets you do anything on a web page. So how do you get it in there? Let’s go to, say, Google. Here’s Google, here’s a search bar. Whatever I type in that search bar, say “test”, will appear on the results page: “test” in the heading, again a couple of times lower down, and in the search box itself. Whatever I type in here appears on that web page. That’s fine. What happens if, instead, I type in an italic tag, <i>? Well, what won’t happen is that Google sends the whole page back in italics, because they have converted the angle bracket into &lt;. Which is great.

Now imagine that instead of typing “test”, or instead of typing that italic tag, I type <script> and then some code. As long as I write valid code, and as long as the box is big enough (and there are a few other tricks you can use to make that work), then if you, as a web developer, have forgotten to do that little trick that changes less-than signs into the code that means “put a less-than sign here”, your web server puts the page out, the web browser looks at it and goes, “That is JavaScript code! I’m going to run that!” And it does.

You can use that for entertainment. I have previously used that in at least one place I shouldn’t have. And, of course, it doesn’t do any lasting damage. All it does, in that case, is change a load of the words on the website, and it’s only visible to the one person I’ve sent it to. Which is, you know, not technically entirely legal under the Computer Misuse Act, but no one pressed charges. All I’m doing there is playing about. But the more sinister stuff you can do with JavaScript, quietly stealing passwords and user information and letting you log in as other people, all of that is entirely possible just by letting unescaped user input, and with it an attacker’s JavaScript, into your web page.

And here’s the thing. Here’s the really important thing. All you need to do is mess up once, anywhere on your site, with any user input. Something you think is completely innocuous, because someone is just typing in their age. If you forget to escape that, and someone types a little bit of code there instead, well, congratulations, your website is now completely vulnerable. And this has happened regularly, at Google, at Facebook, at every single big site, because it’s so easy to forget. Even when every single framework out there, every tool to help web developers, has something that goes, “Guys! You’ve missed this! Do you really mean to do that? Are you sure you really mean to do that?”, you can still mess it up. Even the big guys mess this up.

And they have what are known as “bug bounties.” They will pay you money if you find something like this and then tell them responsibly, rather than telling the world. I think someone earned something like $12,000 for finding a bug in Facebook that let people do this. So rather than trying to break things, try to mend them. Try to find something like this. If this is your thing, if this is something you look at and go, “Oh, I could try and break things with this!”, do it. Then look at the big guys and try to earn some money with it instead. Because they will thank you, they will put your name in lights on their site, and they will pay you money. Because the alternative is the bad guys getting there first, and the next time you log in to Google, your password not going where it’s supposed to.
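The escaping described earlier and the Google search example above, as an added worked example that is not part of the original talk or post. It is Node.js code written for this page; the search-page template, the two payloads and the small tokenizer that stands in for the browser are all constructed for it. It goes one step beyond the text: besides the <script> payload, it shows why escaping only the angle brackets is not enough when the reflected value lands inside an attribute, which is the kind of “other trick” the text alludes to.

```javascript
// Added example for this post (not from the original talk): the escaping
// described above, applied to a search page that reflects the query, with the
// two ways it gets missed. Runs under Node.js with no dependencies; the page
// template, the payloads and the tokenizer stand-in are constructed here.

// Escape the five characters that can change meaning in HTML text or inside a
// quoted attribute. '&' goes first so the entities we emit are not re-escaped.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The search page from the text, reduced to a template. The query is reflected
// in a heading, in the search box's value attribute, and in a sentence.
function renderSearch(query, escape) {
  const q = escape(query);
  return `<h1>Results for ${q}</h1>\n` +
         `<input type="text" name="q" value="${q}">\n` +
         `<p>No results for ${q}.</p>`;
}

// Three things a developer might do with the query before reflecting it.
const forgotToEscape = (s) => String(s);                                                 // the bug
const angleBracketsOnly = (s) => String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;'); // half a fix
const fullyEscaped = escapeHtml;                                                         // the fix

// Minimal stand-in for the browser's tag tokenizer, constructed for this
// example. It walks the rendered HTML and reports which opening tags and which
// on*="..." event-handler attributes the browser would see. It honours quoted
// attribute values, which is what makes the attribute case below come out right.
function markupSummary(html) {
  const tags = [];
  const handlers = [];
  const isSpace = (c) => /\s/.test(c);
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    let j = i + 1;
    const closing = html[j] === '/';
    if (closing) j++;
    const nameStart = j;
    while (j < html.length && /[A-Za-z0-9]/.test(html[j])) j++;
    if (j === nameStart) { i++; continue; }               // a bare '<' is just text
    if (!closing) tags.push(html.slice(nameStart, j).toLowerCase());
    while (j < html.length && html[j] !== '>') {          // attributes up to '>'
      while (j < html.length && isSpace(html[j])) j++;
      const attrStart = j;
      while (j < html.length && !isSpace(html[j]) && html[j] !== '=' && html[j] !== '>') j++;
      const attr = html.slice(attrStart, j).toLowerCase();
      if (attr.startsWith('on')) handlers.push(attr);
      while (j < html.length && isSpace(html[j])) j++;
      if (html[j] === '=') {                              // skip the value, quoted or bare
        j++;
        while (j < html.length && isSpace(html[j])) j++;
        const quote = html[j];
        if (quote === '"' || quote === "'") {
          const close = html.indexOf(quote, j + 1);
          j = close === -1 ? html.length : close + 1;
        } else {
          while (j < html.length && !isSpace(html[j]) && html[j] !== '>') j++;
        }
      }
    }
    i = j + 1;
  }
  return { tags, handlers };
}

// Render with one escaping strategy and report what would execute:
// how many <script> tags the browser sees, and which event handlers.
function audit(query, escape) {
  const { tags, handlers } = markupSummary(renderSearch(query, escape));
  return { scriptTags: tags.filter((t) => t === 'script').length, handlers };
}

// Constructed payloads: the classic one from the text, and one with no angle
// brackets at all, which closes the value="..." attribute and adds a handler.
const SCRIPT_PAYLOAD = '<script>alert(document.cookie)</script>';
const ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)';

for (const [label, escape] of [['forgot to escape', forgotToEscape],
                               ['angle brackets only', angleBracketsOnly],
                               ['fully escaped', fullyEscaped]]) {
  console.log(label.padEnd(20), audit(SCRIPT_PAYLOAD, escape), audit(ATTRIBUTE_PAYLOAD, escape));
}
```

Run it with node. The “fully escaped” row is the only one where neither payload yields a script tag or an event handler; the “angle brackets only” row blocks the <script> payload but still hands the browser an onfocus handler, because a double quote was enough to end the attribute. The practical lesson is the one the text makes: the escaping has to be applied at every point where input enters the page, and it has to match the context the value lands in, which is why a templating framework that escapes by default is safer than remembering to call escapeHtml yourself.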

via www.hackedwebsite.ml


This is a YourStory community post, written by one of our readers. The images and content in this post belong to their respective owners. If you feel that any content posted here is a violation of your copyright, please write to us at mystory@yourstory.com and we will take it down. There has been no commercial exchange by YourStory for the publication of this article.